As the chan's refcnt is increased in l2cap_chan_create,
no need to increase it again for l2cap_pi(sk)->chan.
Signed-off-by: Nil Yi <[email protected]>
---
net/bluetooth/l2cap_sock.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index c99d65ef1..4804c311d 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1831,8 +1831,7 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
return NULL;
}
- l2cap_chan_hold(chan);
-
+ /* chan's refcnt is held in l2cap_chan_create() */
l2cap_pi(sk)->chan = chan;
return sk;
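Review bot: Removing l2cap_chan_hold(chan) drops the reference the socket takes for its own l2cap_pi(sk)->chan pointer, which is a separate reference from the one l2cap_chan_create() gives the creator, and the 0-day report on this series shows the resulting imbalance ("refcount_t: underflow; use-after-free" in l2cap_sock_release). Unless the matching l2cap_chan_put() in the socket release path is removed in the same change, this hold must stay; at minimum the commit message should name which put this hold was believed to be unbalanced against, which is what Marcel is asking for.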
--
2.17.1
This is an automated email; please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=531657
---Test result---
Test Summary:
CheckPatch PASS 0.50 seconds
GitLint PASS 0.13 seconds
BuildKernel PASS 677.12 seconds
TestRunner: Setup PASS 456.95 seconds
TestRunner: l2cap-tester PASS 3.15 seconds
TestRunner: bnep-tester PASS 2.15 seconds
TestRunner: mgmt-tester PASS 34.01 seconds
TestRunner: rfcomm-tester PASS 2.50 seconds
TestRunner: sco-tester PASS 2.35 seconds
TestRunner: smp-tester FAIL 2.51 seconds
TestRunner: userchan-tester PASS 2.21 seconds
Details
##############################
Test: CheckPatch - PASS - 0.50 seconds
Run checkpatch.pl script with rule in .checkpatch.conf
##############################
Test: GitLint - PASS - 0.13 seconds
Run gitlint with rule in .gitlint
##############################
Test: BuildKernel - PASS - 677.12 seconds
Build Kernel with minimal configuration supports Bluetooth
##############################
Test: TestRunner: Setup - PASS - 456.95 seconds
Setup environment for running Test Runner
##############################
Test: TestRunner: l2cap-tester - PASS - 3.15 seconds
Run test-runner with l2cap-tester
Total: 40, Passed: 40 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: bnep-tester - PASS - 2.15 seconds
Run test-runner with bnep-tester
Total: 1, Passed: 1 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: mgmt-tester - PASS - 34.01 seconds
Run test-runner with mgmt-tester
Total: 448, Passed: 445 (99.3%), Failed: 0, Not Run: 3
##############################
Test: TestRunner: rfcomm-tester - PASS - 2.50 seconds
Run test-runner with rfcomm-tester
Total: 9, Passed: 9 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: sco-tester - PASS - 2.35 seconds
Run test-runner with sco-tester
Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: smp-tester - FAIL - 2.51 seconds
Run test-runner with smp-tester
Total: 8, Passed: 7 (87.5%), Failed: 1, Not Run: 0
Failed Test Cases
SMP Client - SC Request 2 Failed 0.038 seconds
##############################
Test: TestRunner: userchan-tester - PASS - 2.21 seconds
Run test-runner with userchan-tester
Total: 3, Passed: 3 (100.0%), Failed: 0, Not Run: 0
---
Regards,
Linux Bluetooth
Hi Nil,
> As the chan's refcnt is increased in l2cap_chan_create,
> no need to increase it again for l2cap_pi(sk)->chan.
>
> Signed-off-by: Nil Yi <[email protected]>
> ---
> net/bluetooth/l2cap_sock.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
> index c99d65ef1..4804c311d 100644
> --- a/net/bluetooth/l2cap_sock.c
> +++ b/net/bluetooth/l2cap_sock.c
> @@ -1831,8 +1831,7 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
> return NULL;
> }
>
> - l2cap_chan_hold(chan);
> -
> + /* chan's refcnt is held in l2cap_chan_create() */
> l2cap_pi(sk)->chan = chan;
Can you be a bit more specific about what this is fixing?
Regards
Marcel
Greeting,
FYI, we noticed the following commit (built with gcc-9):
commit: c251113f4fa86f02e1026b7c4abbf75ed3e00993 ("[PATCH] net: bluetooth: delete the redundant refcnt increment")
url: https://github.com/0day-ci/linux/commits/Nil-Yi/net-bluetooth-delete-the-redundant-refcnt-increment/20210815-165122
base: https://git.kernel.org/cgit/linux/kernel/git/bluetooth/bluetooth.git master
in testcase: trinity
version:
with the following parameters:
number: 99999
group: group-01
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):
If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <[email protected]>
[ 50.884506][ T2827] ------------[ cut here ]------------
[ 50.887488][ T2827] refcount_t: underflow; use-after-free.
[ 50.890338][ T2827] WARNING: CPU: 1 PID: 2827 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0x100
[ 50.893848][ T2827] Modules linked in: bridge 8021q garp stp mrp llc hidp bnep rfcomm bluetooth ecdh_generic ecc rfkill can_bcm can_raw can crypto_user ib_core nfnetlink scsi_transport_iscsi atm sctp ip6_udp_tunnel udp_tunnel libcrc32c sr_mod cdrom sg ata_generic intel_rapl_msr bochs_drm ppdev drm_vram_helper drm_ttm_helper ttm drm_kms_helper intel_rapl_common crct10dif_pclmul crc32_pclmul crc32c_intel syscopyarea ghash_clmulni_intel rapl ata_piix libata sysfillrect sysimgblt fb_sys_fops ipmi_devintf ipmi_msghandler joydev drm serio_raw i2c_piix4 parport_pc parport ip_tables
[ 50.923352][ T2827] CPU: 1 PID: 2827 Comm: trinity-main Not tainted 5.13.0-rc3-00439-gc251113f4fa8 #1
[ 50.926860][ T2827] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 50.932538][ T2827] RIP: 0010:refcount_warn_saturate+0xa6/0x100
[ 50.935394][ T2827] Code: 05 a1 85 77 01 01 e8 d6 50 67 00 0f 0b c3 80 3d 8f 85 77 01 00 75 95 48 c7 c7 38 9f 1a 84 c6 05 7f 85 77 01 01 e8 b7 50 67 00 <0f> 0b c3 80 3d 6e 85 77 01 00 0f 85 72 ff ff ff 48 c7 c7 90 9f 1a
[ 50.943923][ T2827] RSP: 0018:ffffb81d4314fde8 EFLAGS: 00010282
[ 50.946846][ T2827] RAX: 0000000000000000 RBX: ffff99f8b0aa9d40 RCX: 0000000000000000
[ 50.950924][ T2827] RDX: ffff99fb6fd27a00 RSI: ffff99fb6fd17d50 RDI: ffff99fb6fd17d50
[ 50.955876][ T2827] RBP: ffff99f88125d000 R08: ffff99fb6fd17d50 R09: ffffb81d4314fc08
[ 50.959209][ T2827] R10: 0000000000000001 R11: 0000000000000001 R12: ffff99f88125c000
[ 50.965544][ T2827] R13: 0000000000000000 R14: ffff99f88125c2f8 R15: ffff99f88125d228
[ 50.972724][ T2827] FS: 00007ffbcd813740(0000) GS:ffff99fb6fd00000(0000) knlGS:0000000000000000
[ 50.978275][ T2827] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 50.982769][ T2827] CR2: 0000555c3810e9f0 CR3: 0000000328410000 CR4: 00000000000406e0
[ 50.987574][ T2827] DR0: 00007ffbcbba8000 DR1: 0000000000000000 DR2: 0000000000000000
[ 50.990848][ T2827] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[ 50.995960][ T2827] Call Trace:
[ 50.998330][ T2827] l2cap_sock_release+0xc2/0x100 [bluetooth]
[ 51.002490][ T2827] __sock_release+0x3d/0xc0
[ 51.005836][ T2827] sock_close+0x11/0x40
[ 51.008269][ T2827] __fput+0xa7/0x280
[ 51.012738][ T2827] task_work_run+0x69/0xc0
[ 51.015115][ T2827] do_exit+0x3b2/0xb80
[ 51.018001][ T2827] do_group_exit+0x3a/0xc0
[ 51.020387][ T2827] __x64_sys_exit_group+0x14/0x40
[ 51.024713][ T2827] do_syscall_64+0x40/0x80
[ 51.026963][ T2827] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 51.030014][ T2827] RIP: 0033:0x7ffbcd8fd9d6
[ 51.032196][ T2827] Code: Unable to access opcode bytes at RIP 0x7ffbcd8fd9ac.
[ 51.037517][ T2827] RSP: 002b:00007ffc7f5c04c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 51.040433][ T2827] RAX: ffffffffffffffda RBX: 00007ffbcd9ee760 RCX: 00007ffbcd8fd9d6
[ 51.046176][ T2827] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 51.050571][ T2827] RBP: 0000000000000000 R08: 00000000000000e7 R09: ffffffffffffff80
[ 51.055088][ T2827] R10: 00007ffc7f5c0388 R11: 0000000000000246 R12: 00007ffbcd9ee760
[ 51.059553][ T2827] R13: 0000000000000001 R14: 00007ffbcd9f7428 R15: 0000000000000000
[ 51.062929][ T2827] ---[ end trace a2317e7106aa7089 ]---
To reproduce:
# build kernel
cd linux
cp config-5.13.0-rc3-00439-gc251113f4fa8 .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
---
0DAY/LKP+ Test Infrastructure
Open Source Technology Center
https://lists.01.org/hyperkitty/list/[email protected]
Intel Corporation
Thanks,
Oliver Sang